Back to skill

Security audit

ERC-8004 Trustless Agents

Security checks across malware telemetry and agentic risk

Overview

The skill appears aligned with ERC-8004 blockchain registration, but it handles raw wallet keys and live on-chain/public uploads with too little scoping and warning.

Install only if you are comfortable with a script that can sign live blockchain transactions. Use a dedicated low-value wallet, do not use a primary funded key, review every command before running it, verify the Foundry install source, and treat anything uploaded to Pinata/IPFS or written on-chain as public and difficult to undo.

SkillSpector

By NVIDIA
Vulnerability Patterns
  • Data ExfiltrationExternal Transmission, Env Variable Harvesting, File System Enumeration
  • Supply ChainUnpinned Dependencies, External Script Fetching, Obfuscated Code
  • Excessive AgencyUnrestricted Tool Access, Autonomous Decision Making, Scope Creep
  • MCP Least PrivilegeUnderdeclared Capability, Wildcard Permission, Missing Permission Declaration
  • Prompt InjectionInstruction Override, Hidden Instructions, Exfiltration Commands
Findings (9)

Lp3

Medium
Category
MCP Least Privilege
Confidence
85% confidence
Finding
The skill advertises shell-based commands and operational procedures but does not declare corresponding permissions or clearly scope those capabilities. In an agent setting, hidden or undeclared execution capability reduces user visibility and can lead to commands being run with more authority than expected.

Context-Inappropriate Capability

Medium
Confidence
88% confidence
Finding
The utility auto-loads a private key from a fixed local path and exports it into the process environment, expanding credential exposure beyond explicit user intent. In a skill meant for registry/reputation interactions, implicit key discovery is risky because any downstream script invocation or subprocess can access the key once exported.

Missing User Warnings

Medium
Confidence
95% confidence
Finding
The README tells users to export a raw private key into an environment variable without any warning about credential sensitivity, shell history, process inspection, or safer alternatives. In a skill specifically meant for on-chain agent registration on Ethereum mainnet, this can lead to accidental key exposure and direct loss of funds or unauthorized transactions if users follow the example on a hot wallet or funded account.

Missing User Warnings

Medium
Confidence
94% confidence
Finding
The skill shows mainnet registration and update commands as quick-start actions without warning that they perform live on-chain writes, may cost funds, and are difficult or impossible to reverse. Users may execute them in a routine workflow and unintentionally spend ETH or permanently publish incorrect metadata.

Missing User Warnings

Medium
Confidence
96% confidence
Finding
The documentation directs users to place a private key in a file or environment variable and to configure an IPFS upload token, but it omits operational safety guidance for handling these secrets. In agent or automation environments, this can lead to accidental credential exposure through logs, shell history, repository commits, or overbroad filesystem access.

Missing User Warnings

Medium
Confidence
91% confidence
Finding
Reading a private key from disk and exporting it without a clear warning or explicit consent creates a stealthy secret-handling path that users may not realize is occurring. This increases the chance of accidental signing-key exposure through shell history, environment inheritance, debugging output, or child processes.

Missing User Warnings

Medium
Confidence
82% confidence
Finding
The function uploads an arbitrary file to Pinata, a third-party service, with no confirmation, content validation, or warning that the data is leaving the local environment. Since IPFS pinning can make content broadly retrievable and effectively persistent, users could unintentionally disclose sensitive metadata or credentials.

External Transmission

Medium
Category
Data Exfiltration
Content
local file="$1"
    
    if [[ -n "${PINATA_JWT:-}" ]]; then
        local response=$(curl -s -X POST "https://api.pinata.cloud/pinning/pinFileToIPFS" \
            -H "Authorization: Bearer $PINATA_JWT" \
            -F "file=@$file")
        echo "ipfs://$(echo "$response" | jq -r '.IpfsHash')"
Confidence
77% confidence
Finding
https://api.pinata.cloud/

External Script Fetching

High
Category
Supply Chain
Content
## Dependencies

- `cast` (Foundry) - `curl -L https://foundry.paradigm.xyz | bash`
- `jq` - `brew install jq`
- Private key in `~/.clawdbot/wallets/.deployer_pk` or `PRIVATE_KEY` env
- IPFS: Set `PINATA_JWT` for uploads, or upload manually
Confidence
98% confidence
Finding
curl -L https://foundry.paradigm.xyz | bash

VirusTotal

64/64 vendors flagged this skill as clean.

View on VirusTotal

Static analysis

No suspicious patterns detected.